While the threat landscape continues to evolve, from ransomware to nation-state attacks, there is no doubt that proper security logging and monitoring continue to be critical in helping to detect – and prevent — breaches. In fact, last week CISA issued an advisory that said analysis of network logs confirmed public-facing servers at a U.S. federal agency were compromised by hackers through a vulnerability in Adobe’s ColdFusion product. Logs are also needed to perform general audits, establish baselines, and identify operational trends and longer-term problems and are required to meet various laws and standards, such as Federal Information Security Modernization Act, HIPAA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, and PCI DSS.
Yet getting logging and monitoring right is not easy, which is why Security Logging and Monitoring Failures is number nine on OWASP Top 10 list. According to a new GAO report, as of August 2023, only three out of 23 federal agencies had met the required event logging standards as stipulated by the 2021 Executive Order 14028, Cybersecurity Incident Response Requirements and Status of Completion.
The Need to Make Logging and Monitoring a Priority — Again
As IT environments have become more decentralized, logging has been given lesser priority: How to log? What to log? Where to log? In fact, we have seen a turn towards more soft governance rather than hard governance – a small horizontal DevOps team or security team can’t manage and maintain logs in a decentralized environment. They will say, “Here are the things that you need to follow,” and then move on. Unless there is an incident, they won’t know. DevOps and security teams also should be able to derive the starting point of that attack: Where is the source? Which was the source? They should also be able to correlate between all their applications in their enterprise. If not, the IT environment will be a sieve, with plenty of security holes that attackers will leverage to gain access to your most valuable data and IP.
It’s time to make logging and monitoring a priority again and keep in mind the following best practices:
Ensure logs are capturing high-value transactions, failed logins, and other scenarios
For every application, you need to do an appropriate level of auditing and logging. But you also need to make sure that you are capturing certain scenarios and situations. Many security logging failures are due to omission — not all the right scenarios are being logged. For example, let’s say someone is trying to change a password or making a highly sensitive or valuable transaction like a bank transfer. All these activities – and more including logging failures such as password change failures — need to be logged.
Customize your logging solution
There are numerous security event logging and monitoring solutions available today. Regardless of what log monitoring solution you use, you need to customize it for your enterprise to ensure you improve the security posture of your business. In addition to the vendors themselves, there are several industry organizations that provide frameworks that can provide guidance. Logging is critical for incident response – it can help detect when a cyberattack took place, and how and where it started.
Avoid adding sensitive information
As part of the logging process, organizations sometimes may inadvertently add sensitive information and then forget to remove it while testing or while debugging and the data gets into production. Also beware of log injection and log forging. With both techniques, hackers may try to insert unwanted data, and, if they do have the capability, say, “Okay, now that I’m able to insert the logging, let me insert executable scripts into it.” So whichever application is trying to manage the monitoring, they can go one level beyond logging and try to corrupt and take over the enterprise.
Keep log content or log files in a secure area
Often, security practitioners will keep log content or log files in a less secure area because they mistakenly think that the threat is coming through the DMZ, which is protected. But hackers will break through the logging mechanism to access the log file if there is no security.
And don’t forget monitoring
In addition to knowing what to log, when to log, and on what condition to log, organizations also need to monitor the logs on a periodic basis. And then not only monitor, but also set up a threshold, automate the log and send out alerts when anomalies are detected. When it comes to proper log management, everything should be there, from logging to alerts, to ensure you are closing any security gaps.
Proper security logging and monitoring is key to every enterprise’s security-in-depth approach. It’s time to take a fresh look at your process and make sure you are capturing and monitoring the most important transactions of your business. As attackers adapt to successfully infiltrate their targets, organizations too must continue to adapt their traditional security methods to stay ahead of the threat.